diff --git a/clients/sentry-1.json b/clients/sentry-1.json
new file mode 100644
index 0000000..3463d52
--- /dev/null
+++ b/clients/sentry-1.json
@@ -0,0 +1,4 @@
+{
+ "name": "sentry-1",
+ "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtZFwP58ym+92YFa0adU3\nVGEJW13NkfaHChx+akB3IioSPKyJ9eOXEI8pOmU3QyqOUKSbqth78DY84hobXlqs\n4O0A7TV029uepcj5zPN047gDsV1TJ6Dakma5eH+Pe5kP/TigCEOF0Cgo+fqtEBEJ\nT/rhSs3zHD1EfBnZdyj/7YyeDv1XLWI8dXoizDUAoBSCDeJ5d7fG56zmFYLV05Ex\nMrjJuHitEmeJXTZABKstRbEd+3Rld+gfJZ/jI4djEW2j1EKAYMT1SxoXdjKlCrpQ\nGux2RSe+Gspt1hyp/flU5gHGO+qLDNSU9tZInClToyFMVBfoW8kWg28Gm2kGkIvr\npQIDAQAB\n-----END PUBLIC KEY-----\n"
+}
\ No newline at end of file
diff --git a/environments/production.json b/environments/production.json
index 6c44e15..f0d6f1c 100644
--- a/environments/production.json
+++ b/environments/production.json
@@ -36,6 +36,9 @@
 "alternate_domains": [
 "mastodon.w7nooprauv6yrnhzh2ajpcnj3doinked2aaztlwfyt6u6pva2qdxqhid.onion"
 ]
+ },
+ "sentry": {
+ "allowed_ips": "10.1.1.0/24"
 }
 }
 }
diff --git a/nodes/sentry-1.json b/nodes/sentry-1.json
new file mode 100644
index 0000000..a037ffb
--- /dev/null
+++ b/nodes/sentry-1.json
@@ -0,0 +1,63 @@
+{
+ "name": "sentry-1",
+ "chef_environment": "production",
+ "normal": {
+ "knife_zero": {
+ "host": "10.1.1.132"
+ }
+ },
+ "automatic": {
+ "fqdn": "sentry-1",
+ "os": "linux",
+ "os_version": "5.4.0-1087-kvm",
+ "hostname": "sentry-1",
+ "ipaddress": "192.168.122.251",
+ "roles": [
+ "base",
+ "kvm_guest",
+ "sentry"
+ ],
+ "recipes": [
+ "kosmos-base",
+ "kosmos-base::default",
+ "kosmos_kvm::guest",
+ "kosmos_sentry",
+ "kosmos_sentry::default",
+ "apt::default",
+ "timezone_iii::default",
+ "timezone_iii::debian",
+ "ntp::default",
+ "ntp::apparmor",
+ "kosmos-base::systemd_emails",
+ "apt::unattended-upgrades",
+ "kosmos-base::firewall",
+ "kosmos-postfix::default",
+ "postfix::default",
+ "postfix::_common",
+ "postfix::_attributes",
+ "postfix::sasl_auth",
+ "hostname::default",
+ "firewall::default",
+ "chef-sugar::default"
+ ],
+ "platform": "ubuntu",
+ "platform_version": "20.04",
+ "cloud": null,
+ "chef_packages": {
+ "chef": {
+ "version": "17.10.3",
+ "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
+ "chef_effortless": null
+ },
+ "ohai": {
+ "version": "17.9.0",
+ "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+ }
+ }
+ },
+ "run_list": [
+ "role[base]",
+ "role[kvm_guest]",
+ "role[sentry]"
+ ]
+}
\ No newline at end of file
diff --git a/roles/sentry.rb b/roles/sentry.rb
new file mode 100644
index 0000000..cd16bca
--- /dev/null
+++ b/roles/sentry.rb
@@ -0,0 +1,11 @@
+name "sentry"
+
+default_run_list = %w(
+ kosmos_sentry::default
+)
+
+env_run_lists(
+ '_default' => default_run_list,
+ 'development' => default_run_list,
+ 'production' => default_run_list
+)
diff --git a/site-cookbooks/kosmos_sentry/.gitignore b/site-cookbooks/kosmos_sentry/.gitignore
new file mode 100644
index 0000000..f1e57b8
--- /dev/null
+++ b/site-cookbooks/kosmos_sentry/.gitignore
@@ -0,0 +1,25 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef Infra
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
+
+.idea/
+
diff --git a/site-cookbooks/kosmos_sentry/LICENSE b/site-cookbooks/kosmos_sentry/LICENSE
new file mode 100644
index 0000000..fc26797
--- /dev/null
+++ b/site-cookbooks/kosmos_sentry/LICENSE
@@ -0,0 +1,20 @@
+Copyright (c) 2023 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/site-cookbooks/kosmos_sentry/attributes/default.rb b/site-cookbooks/kosmos_sentry/attributes/default.rb
new file mode 100644
index 0000000..e2d456c
--- /dev/null
+++ b/site-cookbooks/kosmos_sentry/attributes/default.rb
@@ -0,0 +1,9 @@
+node.default["sentry"]["repo"] = "https://github.com/getsentry/self-hosted"
+node.default["sentry"]["revision"] = "master"
+node.default["sentry"]["port"] = 80
+node.default["sentry"]["retention_days"] = 90
+node.default["sentry"]["allowed_ips"] = nil
+# The Sentry setup requires docker-compose >= 1.28, which is newer than the
+# latest stable version for Ubuntu 20.04
+node.default["sentry"]["docker-compose"]["version"] = "2.17.0"
+node.default["sentry"]["docker-compose"]["checksum"] = "65edee934d988471c40ef31305731dbb4381d3cb0aeea13342119b61772f85e2"
diff --git a/site-cookbooks/kosmos_sentry/chefignore b/site-cookbooks/kosmos_sentry/chefignore
new file mode 100644
index 0000000..cc170ea
--- /dev/null
+++ b/site-cookbooks/kosmos_sentry/chefignore
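Review bot: In `site-cookbooks/kosmos_sentry/attributes/default.rb`, `node.default["sentry"]["revision"] = "master"` leaves the deployed Sentry code unpinned, so each converge that syncs the `git` resource can pull whatever the upstream branch head is at that moment, while docker-compose a few lines below is pinned by version and SHA-256 checksum. The same applies to the `:nightly` image tags and `wal2json_version: "latest"` in the `env_config` hash of `recipes/default.rb`. Pinning to a release tag or commit, e.g. `node.default["sentry"]["revision"] = "<release-tag>"` (placeholder), and taking the image tags from that same release would make a deployment reproducible and reviewable before it reaches production.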
@@ -0,0 +1,115 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+.envrc
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+REVISION
+TAGS*
+tmtags
+.vscode
+.editorconfig
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+mkmf.log
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.delivery/*
+.foodcritic
+.kitchen*
+.mdlrc
+.overcommit.yml
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+.yamllint
+azure-pipelines.yml
+Dangerfile
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+mlc_config.json
+Procfile
+Rakefile
+spec/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitkeep
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Documentation #
+#############
+CODE_OF_CONDUCT*
+CONTRIBUTING*
+documentation/*
+TESTING*
+UPGRADING*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile
diff --git a/site-cookbooks/kosmos_sentry/metadata.rb b/site-cookbooks/kosmos_sentry/metadata.rb
new file mode 100644
index 0000000..bd42aa7
--- /dev/null
+++ b/site-cookbooks/kosmos_sentry/metadata.rb
@@ -0,0 +1,12 @@
+name 'kosmos_sentry'
+maintainer 'Kosmos Contributors'
+maintainer_email 'mail@kosmos.org'
+license 'MIT'
+description 'Installs/configures Sentry'
+version '0.1.0'
+chef_version '>= 16.0'
+issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
+source_url 'https://gitea.kosmos.org/kosmos/chef'
+
+depends 'git'
+depends 'firewall'
diff --git a/site-cookbooks/kosmos_sentry/recipes/default.rb b/site-cookbooks/kosmos_sentry/recipes/default.rb
new file mode 100644
index 0000000..54fe721
--- /dev/null
+++ b/site-cookbooks/kosmos_sentry/recipes/default.rb
@@ -0,0 +1,82 @@
+#
+# Cookbook:: kosmos_sentry
+# Recipe:: default
+#
+
+package "docker"
+
+remote_file "/usr/local/bin/docker-compose" do
+ source "https://github.com/docker/compose/releases/download/v#{node["sentry"]["docker-compose"]["version"]}/docker-compose-linux-x86_64"
+ checksum node["sentry"]["docker-compose"]["checksum"]
+ mode '0755'
+end
+
+deploy_path = "/opt/sentry"
+
+git deploy_path do
+ repository node["sentry"]["repo"]
+ revision node["sentry"]["revision"]
+end
+
+# TODO
+# Automatically run install script if sentry/sentry.conf.py does not exist yet
+
+env_config = {
+ sentry_event_retention_days: node["sentry"]["retention_days"],
+ sentry_bind: node["sentry"]["bind"] || node["sentry"]["port"],
+ # Default values from upstream
+ compose_project_name: "sentry-self-hosted",
+ sentry_image: "getsentry/sentry:nightly",
+ snuba_image: "getsentry/snuba:nightly",
+ relay_image: "getsentry/relay:nightly",
+ symbolicator_image: "getsentry/symbolicator:nightly",
+ wal2json_version: "latest",
+ healthcheck_interval: "30s",
+ healthcheck_timeout: "60s",
+ healthcheck_retries: "10"
+}
+
+template "#{deploy_path}/.env.custom" do
+ source 'env.custom.erb'
+ mode 0600
+ sensitive true
+ variables config: env_config
+ notifies :restart, "service[sentry]", :delayed
+end
+
+systemd_unit "sentry.service" do
+ content({Unit: {
+ Description: "Sentry service using Docker Compose",
+ Requires: "docker.service",
+ After: "docker.service",
+ },
+ Service: {
+ Type: "oneshot",
+ RemainAfterExit: "true",
+ WorkingDirectory: deploy_path,
+ ExecStart: "docker-compose --env-file #{deploy_path}/.env.custom up -d --remove-orphans",
+ ExecStop: "docker-compose stop",
+ StandardOutput: "syslog"
+ },
+ Install: {
+ WantedBy: "multi-user.target"
+ }})
+ verify false
+ triggers_reload true
+ action [:create]
+end
+
+service "sentry" do
+ action [:enable, :start]
+end
+
+include_recipe 'firewall'
+
+firewall_rule 'sentry' do
+ port node["sentry"]["port"]
+ protocol :tcp
+ command :allow
+ if node["sentry"]["allowed_ips"]
+ source node["sentry"]["allowed_ips"]
+ end
+end
diff --git a/site-cookbooks/kosmos_sentry/templates/default/env.custom.erb b/site-cookbooks/kosmos_sentry/templates/default/env.custom.erb
new file mode 100644
index 0000000..4b1faa5
--- /dev/null
+++ b/site-cookbooks/kosmos_sentry/templates/default/env.custom.erb
@@ -0,0 +1,11 @@
+<% @config.each do |key, value| %>
+<% if value.is_a?(Hash) %>
+<% value.each do |k, v| %>
+<%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
+<% end %>
+<% else %>
+<% if value %>
+<%= key.upcase %>=<%= value.to_s %>
+<% end %>
+<% end %>
+<% end %>
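Review bot: In `site-cookbooks/kosmos_sentry/recipes/default.rb`, the `firewall_rule 'sentry'` block fails open: `source` is only set when `node["sentry"]["allowed_ips"]` is present, and that attribute defaults to `nil`, so any node whose environment does not override it allows the Sentry port from every address. Separately, `sentry_bind` falls back to the bare port number, which presumably makes Docker publish it on all interfaces; Docker normally manages its own packet-filter rules for published ports, so the host firewall rule may not be what actually limits access, and this is worth verifying from a host outside `allowed_ips`. Consider failing closed with `raise "sentry.allowed_ips must be set" unless node["sentry"]["allowed_ips"]`. Also give `node["sentry"]["bind"]` (read here but not declared in the attributes file) a documented default that names the private interface address, if the upstream compose file accepts an `address:port` value.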
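Review bot: In `site-cookbooks/kosmos_sentry/templates/default/env.custom.erb`, the nested-hash branch writes `KEY_SUBKEY=` even when `v` is nil, whereas the scalar branch skips nil values through `if value`; the two should agree, for example with `<% next if v.nil? %>` as the first line of the inner loop. Values are also emitted with `to_s` and no validation, so an attribute containing a newline would add extra lines to the env file that docker-compose reads. Rejecting values with line breaks in the recipe before rendering would keep the file limited to the keys listed in `env_config`.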